02-17-2011 05:19 AM - edited 03-11-2019 12:52 PM
My web server sits behind an ASA 5500. When I access the web site from outside, it works fine. When I try and access it from the server itself, I get "
I have rules set up to restrict/enable incoming traffic, but I don't have any rules set up to "loop back". Can someone tell me how to configure this?
02-21-2011 04:43 PM
Hi,
My bad david, this is the right config
static (inside,inside) xxx.xxx.235.3 192.168.1.111 netmask 255.255.255.255
global (inside) 1 interface
same-security-traffic permit intra-interface
Hope it helps.
Mike
02-22-2011 02:53 AM
Okay. I got it to accept these commands. Still not working though.
Entered: static (inside,inside) tcp xxx.xx.249.197 192.168.1.50 http netmask 255.255.255.255
My web application is initiating a web request to itself to wake itself up after going to sleep. The request would come in on a virtual address of 192.168.1.101. I see the traffic on the log when this occurs, but don’t understand what is happening...
I captured the log at what I believe is the point of failure. The xxx.xxx.249.025 is the router address. The 66.129 address is the dns server.
192.168.1.50 physical address of the web server
192.168.1.101 virtual address of the server, which the site is tied to
xxx.xxx.249.197 Public ip address of the site
198.173.65.128 I don’t know what this address is
I am beginning to think this is not possible.
6 Feb 22 2011 01:40:43 305011 192.168.1.50 xxx.xxx.249.205 Built dynamic UDP translation from inside:192.168.1.50/53277 to outside:xxx.xxx.249.205/1025
6 Feb 22 2011 01:40:43 302015 66.129.64.152 192.168.1.50 Built outbound UDP connection 3802683 for outside:66.129.64.152/53 (66.129.64.152/53) to inside:192.168.1.50/53277 (xxx.xxx.249.205/1025)
6 Feb 22 2011 01:40:43 305011 192.168.1.50 xxx.xxx.249.205 Built dynamic TCP translation from inside:192.168.1.50/51205 to outside:xxx.xxx.249.205/1043
6 Feb 22 2011 01:40:43 302013 198.173.75.128 192.168.1.50 Built outbound TCP connection 3802684 for outside:198.173.75.128/110 (198.173.75.128/110) to inside:192.168.1.50/51205 (xxx.xxx.249.205/1043)
6 Feb 22 2011 01:40:43 305011 192.168.1.50 xxx.xxx.249.205 Built dynamic TCP translation from inside:192.168.1.50/51206 to outside:xxx.xxx.249.205/1044
6 Feb 22 2011 01:40:43 302013 198.173.75.128 192.168.1.50 Built outbound TCP connection 3802685 for outside:198.173.75.128/110 (198.173.75.128/110) to inside:192.168.1.50/51206 (xxx.xxx.249.205/1044)
6 Feb 22 2011 01:40:47 305011 192.168.1.50 xxx.xxx.249.205 Built dynamic TCP translation from inside:192.168.1.50/51207 to outside:xxx.xxx.249.205/1045
6 Feb 22 2011 01:40:47 302013 xxx.xxx.249.198 192.168.1.50 Built outbound TCP connection 3802686 for outside:xxx.xxx.249.198/80 (xxx.xxx.249.198/80) to inside:192.168.1.50/51207 (xxx.xxx.249.205/1045)
02-22-2011 09:20 AM
Hi Dave,
Since the traffic initiated from inside is coming in on the VIP of the server, you can enable DNS doctoring for it using:
ASA(config)# no static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
ASA(config)# static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255 dns
Now clear all DNS caches (local machines and local DNS servers, if any, for the web site). Now when the inside client initiates a DNS query for the web site, the ASA will modify the A record for the web site from xxx.xxx.249.197 to 192.168.1.101.
Thanks
Manish
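The two answers above (Mike's hairpin NAT and Manish's DNS doctoring) are the two standard ways to let an inside host reach its own public address through an ASA. The following is an added example that is not part of the thread and is not Dave's running configuration; it puts both options into one pre-8.3 configuration (the static/global syntax used in this thread) so the pieces that must go together are visible in one place. Assumed values: inside subnet 192.168.1.0/24, server VIP 192.168.1.101, interface names inside and outside, and 203.0.113.197 as a placeholder for the redacted public address xxx.xxx.249.197. Pick one option, not both.

```cisco
! Added example, not from the thread. Placeholder public address 203.0.113.197
! stands in for xxx.xxx.249.197; inside subnet and VIP are assumptions.

! --- Baseline that already publishes the site to the Internet ---
static (inside,outside) tcp 203.0.113.197 www 192.168.1.101 www netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.197 eq www
access-group outside_in in interface outside

! --- Option A: hairpin NAT (Mike's approach) ---
! Without this line the ASA silently drops a packet that enters on "inside"
! and would have to leave on "inside" again.
same-security-traffic permit intra-interface
! Destination translation: an inside host that connects to the public
! address is redirected to the real server.
static (inside,inside) tcp 203.0.113.197 www 192.168.1.101 www netmask 255.255.255.255
! Source translation: hide inside clients behind the inside interface address
! so the server answers the ASA, not the client directly. Without it the
! server's SYN/ACK bypasses the ASA and the TCP handshake never completes.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface

! --- Option B: DNS doctoring (Manish's approach) ---
! Same static as the baseline plus the "dns" keyword: DNS replies that cross
! from outside to inside have the A record for 203.0.113.197 rewritten to
! 192.168.1.101, so inside clients connect to the private address and no
! hairpin is needed. Only works when the DNS reply passes through the ASA
! and DNS inspection is enabled (it is in the default global policy).
no static (inside,outside) tcp 203.0.113.197 www 192.168.1.101 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.197 www 192.168.1.101 www netmask 255.255.255.255 dns

! --- Checks ---
! For Option A the trace should end in ALLOW and show an (inside,inside)
! translation rather than a drop at the NAT or "same-security" phase.
packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.197 80
! Confirm the translations the ASA has actually built.
show xlate
```

Two practical notes. Option A only helps if the server's request for the public address actually reaches the ASA, i.e. the ASA is the server's default gateway for that destination; and because of the `global (inside) 1 interface` line the web server sees every hairpinned request as coming from the ASA's inside address, so its access logs lose the real client IP. Option B keeps the real source address but depends on the external DNS server being on the far side of the ASA, which in Dave's log (queries to 66.129.64.152 on the outside) appears to be the case.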
02-27-2011 04:19 AM
Hi Manish:
I entered these commands, but it did not resolve my issue. I do not see where these commands affect the GUI. I might need to undo them if they cause a problem.
I give up. The configuration of this device is just too complex. I am entering commands that make no sense to me. It is not possible for me to troubleshoot this environment.
Thank you for your assistance anyway.